Microsoft Security Bulletin (MS00-086)
   
   Patch Available for Web Server File Request Parsing Vulnerability
   
   Originally posted: November 06, 2000
   Updated: November 30, 2000
   
Summary

   On November 06, 2000, Microsoft released the original version of this
   bulletin, announcing the availability of a patch that eliminates a
   security vulnerability in Microsoft® Internet Information Services
   5.0. The vulnerability could enable a malicious user to run operating
   system commands on a web server. Since its original issuance, the
   bulletin has been updated several times:
     * On November 10, 2000, the bulletin was updated to clarify the
       scope of the issue.
     * On November 21, 2000, it was updated to discuss two
       newly-discovered variants of the original vulnerability.
     * On November 30, 2000, it was updated to discuss a newly-discovered
       regression error in the IIS 5.0 patch and recommend that customers
       apply an updated version of the patch.
       
   The newly-discovered regression error only affects the IIS 5.0 version
   of the patch. It has no effect on the effectiveness of the patch
   against the vulnerability discussed here, but it does cause servers to
   be vulnerable to the Web Server Directory Traversal discussed in
   Microsoft Security Bulletin MS00-078, even if the patch provided in
   MS00-078 has been applied. Microsoft therefore recommends that all IIS
   5.0 customers apply the new patch provided below. It protects against
   both the Web Server File Request Parsing and Web Server Directory
   Traversal vulnerabilities. The IIS 4.0 version of the patch does not
   contain the error, and customers who have applied the IIS 4.0 patch do
   not need to take any action.
   
   Frequently asked questions regarding this vulnerability and the patch
   can be found at
   http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
   
Issue

   When IIS receives a valid request for an executable file, it passes
   the name of the requested file to the underlying operating system for
   processing. However, due to an implementation flaw, it is possible to
   create a specially-malformed file request that contains both a file
   name and one or more operating system commands. Upon receiving such a
   request, IIS would pass the entire string to the operating system,
   which would first process the file and then execute the commands.
   
   The ability to execute operating system commands on the web server
   would enable a malicious user to take virtually any action that an
   interactively-logged on user could take. Although this would not give
   the malicious user administrative control over the server, it would
   nevertheless enable him to cause widespread damage. He could, for
   instance, add, delete or change files on the server, run code that was
   already on the server, or upload code of his choice and run it.
   
   There are three significant restrictions on type of file request that
   could be used to exploit this vulnerability:
     * The malicious user would need to request a .bat or .cmd file.
     * The file would need to exist.
     * The malicious user would need to have execute permissions on the
       file.
       
   Although these restrictions limit the scope of the vulnerability, it
   is important not to discount it. Many third-party software products
   for web servers install batch files by default. As a result, Microsoft
   recommends that all customers running affected versions of IIS verify
   whether their systems contain any .bat or .cmd files that can be
   executed by visitors to the site, and apply the patch immediately if
   this is the case. The patch for this issue also eliminates the Web
   Server Directory Traversal vulnerability discussed in Microsoft
   Security Bulletin MS00-078.
   
Affected Software Versions

     * Microsoft Internet Information Server 4.0
     * Microsoft Internet Information Services 5.0
       
Patch Availability

     * Internet Information Server 4.0:
       http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
     * Internet Information Services 5.0:
       http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547
       
   Note: The IIS 5.0 patch can be applied atop systems running either
   Windows 2000 Gold or Service Pack 1. It will be included in Windows
   2000 Service Pack 2.
   
   Note: The IIS 4.0 patch can be applied atop systems running Windows NT
   4.0 Service Pack 6a. It will be included in Windows NT 4.0 Service
   Pack 7.
   
   Note Additional security patches are available at the Microsoft
   Download Center 
   
More Information

   Please see the following references for more information related to
   this issue.
     * Frequently Asked Questions: Microsoft Security Bulletin MS00-086,
       http://www.microsoft.com/technet/security/bulletin/fq00-086.asp
     * Microsoft Knowledge Base (KB) article Q277873,
       http://www.microsoft.com/technet/support/kb.asp?ID=277873
     * Microsoft TechNet Security web site,
       http://www.microsoft.com/technet/security/default.asp
       
Obtaining Support on this Issue

   This is a fully supported patch. Information on contacting Microsoft
   Product Support Services is available at
   http://support.microsoft.com/support/contact/default.asp.
   
Acknowledgments

   Microsoft thanks  NSFocus (http://www.nsfocus.com) for reporting the
   original and new variants of this vulnerability to us and working with
   us to protect customers.
   
Revisions

     * November 06, 2000: Bulletin Created.
     * November 10, 2000: Bulletin updated to indicate that IIS 4.0 is
       affected when running on pre-SP6 versions of Windows NT 4.0, and
       to provide information on additional restrictions on the
       vulnerability.
     * November 21, 2000: Bulletin updated to discuss availability of
       patch that addresses new variants of vulnerability.
     * November 30, 2000: Bulletin updated to discuss regression error
       and recommend that customers apply updated patch.
       
   THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
   "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
   WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
   SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
   WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
   OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
   OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
   CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
   NOT APPLY.
   [spacer.gif] Send this document
   to a colleague [spacer.gif]
   [spacer.gif]
   Printer-friendly
   version
   
     Last updated November 30, 2000
     © 2000 Microsoft Corporation. All rights reserved. Terms of use.